Failed to deploy falco on GKE

[Kaizhe]

What happened: Failed to deploy falco on GKE

What you expected to happen: Falco run successfully on GKE

How to reproduce it (as minimally and precisely as possible): Bring up a GKE cluster (default one), deploy falco from market place

Anything else we need to know?:

Kaizhes-MacBook-Pro:rules kaizhehuang$ kubectl logs -f falco-security-1-fkc8b 
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /proc/config.gz
* COS detected (build 11647.329.0), downloading and setting up kernel headers
* Downloading https://storage.googleapis.com/cos-tools/11647.329.0/kernel-src.tar.gz
* Extracting kernel sources
* Configuring kernel
scripts/sign-file.c:25:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
make[1]: *** [scripts/Makefile.host:102: scripts/sign-file] Error 1
make: *** [Makefile:574: scripts] Error 2
* Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-0.14.0-x86_64-4.14.145+-e2bdf498e5c7b4a4b60c9d2f4c53f14d.o)
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:26: error: no member named 'loginuid' in 'struct task_struct'
                loginuid = _READ(task->loginuid);
                                 ~~~~  ^
/usr/src/falco-0.14.0/bpf/plumbing_helpers.h:18:28: note: expanded from macro '_READ'
#define _READ(P) ({ typeof(P) _val;                             \
                           ^
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:26: error: no member named 'loginuid' in 'struct task_struct'
                loginuid = _READ(task->loginuid);
                                 ~~~~  ^
/usr/src/falco-0.14.0/bpf/plumbing_helpers.h:20:44: note: expanded from macro '_READ'
                    bpf_probe_read(&_val, sizeof(_val), &P);    \
                                                         ^
In file included from /usr/src/falco-0.14.0/bpf/probe.c:23:
/usr/src/falco-0.14.0/bpf/fillers.h:2006:12: error: assigning to 'kuid_t' from incompatible type 'void'
                loginuid = _READ(task->loginuid);
                         ^ ~~~~~~~~~~~~~~~~~~~~~
3 errors generated.
make[2]: *** [/usr/src/falco-0.14.0/bpf/Makefile:33: /usr/src/falco-0.14.0/bpf/probe.o] Error 1
make[1]: *** [Makefile:1543: _module_/usr/src/falco-0.14.0/bpf] Error 2
make: *** [Makefile:18: all] Error 2
mv: cannot stat '/usr/src/falco-0.14.0/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-bpf-0.14.0-x86_64-4.14.145%2B-e2bdf498e5c7b4a4b60c9d2f4c53f14d.o
curl: (22) The requested URL returned error: 404 Not Found
* Failure to find a BPF probe
Wed Nov  6 22:13:23 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Nov  6 22:13:23 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Wed Nov  6 22:13:25 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed Nov  6 22:13:25 2019: Unable to load the driver. Exiting.
Wed Nov  6 22:13:25 2019: Runtime error: can't open BPF probe '/root/.sysdig/falco-probe-bpf.o': No such file or directory. Exiting.

Environment:

• Falco version (use falco --version):
• System info <!-- Falco has a built-in support command you can use "falco --support | jq .system_info" -->
• Cloud provider or hardware configuration: GKE
• OS (e.g: cat /etc/os-release): Google COS
• Kernel (e.g. uname -a): Linux gke-k8s-research-2-default-pool-f13e4da8-cs4g 4.14.145+ #1 SMP Tue Oct 8 03:03:11 PDT 2019 x86_64 Intel(R) Xe on(R) CPU @ 2.30GHz GenuineIntel GNU/Linux
• Install tools (e.g. in kubernetes, rpm, deb, from source):
• Others:

[chattarajoy]

facing the same issue. Can someone look into this?

[Kaizhe]

cc @mstemm , might be related to the kernel module ?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kbojjireddy]

I'm facing the same issue

[chattarajoy]

I changed the instance types to ubuntu based instead of containerd ones and it worked

[fntlnz]

It should work now with COS, if anyone else is wondering.

[tdickman]

@fntlnz I'm still running into this with COS.